Azure AD Shortcuts

1 minute read

NOTE: Check out https://cmd.ms, the new and improved version of this.

I’m a command line guy and hate having to click to get to various Azure AD pages. Over time I created these shortcuts and thought you might find them helpful.

Here is how it works. Open a new tab and type aka.ms/ad/{command}

where {command} is one of the commands below.

aka.ms                   Command      Portal Blade
aka.ms/ad/ca             ca           Conditional Access
aka.ms/ad/pim            pim          Privileged Identity Management
aka.ms/ad/users          users        Users
aka.ms/ad/groups         groups       Groups
aka.ms/ad/devices        devices      Devices
aka.ms/ad/apps           apps         Enterprise Applications
aka.ms/ad/appreg         appreg       Application Registrations
aka.ms/ad/auth           auth         Authentication Methods Policies
aka.ms/ad/legacymfa      legacymfa    Legacy MFA
aka.ms/ad/guests         guests       Guest Access Settings
aka.ms/ad/logs           logs         Sign-in Logs
aka.ms/ad/xtap           xtap         Cross-Tenant Access Settings
aka.ms/ad/roles          roles        Azure AD Roles
aka.ms/ad/sspr           sspr         Password Reset
aka.ms/ad/security       security     Security
aka.ms/ad/mfaunblock     mfaunblock   MFA Unblock
aka.ms/ad/reviews        reviews      Access Reviews
aka.ms/ad/score          score        Secure Score
aka.ms/ad/license        license      Licenses
aka.ms/ad/synclog        synclog      AAD Connect Sync Errors
aka.ms/ad/adfslog        adfslog      ADFS Log
aka.ms/ad/consent        consent      Consents and Permissions
aka.ms/ad/support        support      Support
aka.ms/ad/list           list         List all these shortcuts

If you liked those, here are some of my favourite identity-related shortcuts.

aka.ms               Page
aka.ms/azad          Azure AD Portal
aka.ms/sspr          Self Service Password Reset
aka.ms/mysecurity    My Security
aka.ms/myapps        My Apps
aka.ms/my-account    My Account
aka.ms/my-groups     My Groups
aka.ms/my-access     My Access Packages
aka.ms/mystaff       My Staff
aka.ms/mfasetup      Alternative for My Security
aka.ms/ge            Graph Explorer
aka.ms/ge            Intune

Have I missed anything? Have new suggestions? Let me know at twitter.com/merill.

Graph PowerShell Conversion Analyzer

1 minute read

Screenshot of Graph PowerShell Analyzer

Hey folks, I took part in a hackathon last week and built the Graph PowerShell Conversion Analyzer. Hopefully this will help a bit as you upgrade your AzureAD and MSOnline PowerShell scripts to Graph PowerShell.

It’s very rough right now but I would love to hear your feedback.

Try it out at https://graphpowershell.merill.net

You start by pasting in one of your old scripts that you want to upgrade to Graph PowerShell and clicking the Analyze button.

This generates a report of all the Azure AD PowerShell and MSOnline commands that were found, along with a mapping to the corresponding Graph PowerShell command. The generated sample tries to map the old parameters onto the new command.

This is where I still need to do a lot more work to make it really useful.
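To show what the first step of such an analysis involves, here is an added example that is not the analyzer's own code: it uses PowerShell's built-in parser to find AzureAD and MSOnline cmdlet calls in a script (so names inside strings or comments are not reported), records the parameters each call uses, and looks up a Graph PowerShell equivalent in a small hand-picked mapping table. The mapping table and the sample script are constructed for the example; the real tool's table is much larger.

```powershell
# Added example, not the analyzer's own code: find AzureAD/MSOnline cmdlets in a
# script with PowerShell's own parser and map them to Graph PowerShell equivalents.
# The mapping table below is a small hand-picked subset, not the tool's full table.
$CmdletMap = @{
    'Connect-AzureAD'             = 'Connect-MgGraph'
    'Connect-MsolService'         = 'Connect-MgGraph'
    'Get-AzureADUser'             = 'Get-MgUser'
    'Get-MsolUser'                = 'Get-MgUser'
    'Get-AzureADUserManager'      = 'Get-MgUserManager'
    'Get-AzureADGroup'            = 'Get-MgGroup'
    'Get-MsolGroup'               = 'Get-MgGroup'
    'Get-AzureADGroupMember'      = 'Get-MgGroupMember'
    'Get-AzureADServicePrincipal' = 'Get-MgServicePrincipal'
}

function Find-LegacyCmdlet {
    param([Parameter(Mandatory)][string]$ScriptText)

    # Use the real parser rather than a regex, so cmdlet names inside strings or comments are ignored.
    $tokens = $null; $errors = $null
    $ast = [System.Management.Automation.Language.Parser]::ParseInput($ScriptText, [ref]$tokens, [ref]$errors)

    $commands = $ast.FindAll({ param($node) $node -is [System.Management.Automation.Language.CommandAst] }, $true)
    foreach ($cmd in $commands) {
        $name = $cmd.GetCommandName()
        if (-not $name) { continue }                                          # e.g. "& $someVariable"
        if ($name -notlike '*-AzureAD*' -and $name -notlike '*-Msol*') { continue }

        # Parameter names used on the call; these are what still need to be mapped by hand.
        $params = $cmd.CommandElements |
            Where-Object { $_ -is [System.Management.Automation.Language.CommandParameterAst] } |
            ForEach-Object { $_.ParameterName }

        $graph = if ($CmdletMap.ContainsKey($name)) { $CmdletMap[$name] } else { '(not in this example table)' }

        [pscustomobject]@{
            Line       = $cmd.Extent.StartLineNumber
            Legacy     = $name
            Parameters = ($params -join ', ')
            Graph      = $graph
        }
    }
}

# Constructed sample of an old AzureAD/MSOnline script (not real customer code).
$sample = @'
Connect-AzureAD
# Get-AzureADUser mentioned in a comment is ignored by the parser-based scan
$users = Get-AzureADUser -All $true -Filter "accountEnabled eq true"
foreach ($u in $users) { Get-AzureADUserManager -ObjectId $u.ObjectId }
Get-MsolGroup -MaxResults 50
'@

Find-LegacyCmdlet -ScriptText $sample | Format-Table -AutoSize
```

The parser-based approach is what makes the report trustworthy: a regex over the script text would also flag the cmdlet name in the comment on the second line, and would miss calls that span lines or use splatting.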

Screenshot of Analysis Report

Where possible you also get direct links to both the Graph PowerShell command reference and the Graph API reference (which usually has more relevant information).

No more hunting around and searching the docs!

Screenshot showing links to the docs

The last bit is where you, the community, can really help us and each other out. We've started an open repository of sample Graph PowerShell scripts at https://aka.ms/graphsamples

We would love to make this the largest collection of Graph PowerShell sample scripts. It's open to everyone to contribute, so please share your scripts (even one-liners).

Screenshot of the Graph samples community

Let me know what you think. If you have any ideas on how this can be improved I’m all ears!

Get-MgUser_List1: Expect simple name=value query, but observe property 'assignedLicenses' of complex type 'AssignedLicense'.

less than 1 minute read

Are you seeing this message when trying to get user license information with Graph PowerShell?

Expect simple name=value query, but observe property 'assignedLicenses' of complex type 'AssignedLicense'.

    Get-MgUser -Filter 'assignedLicenses/$count eq 0'
    Get-MgUser_List1: Expect simple name=value query, but observe property 'assignedLicenses' of complex type 'AssignedLicense'.

The fix is quite simple. Using $count inside a filter is an "advanced query" in Microsoft Graph, and advanced queries need two things: the ConsistencyLevel header set to eventual and $count=true on the request. In Graph PowerShell, -ConsistencyLevel eventual adds the header and -CountVariable (which stores the result count in the variable you name) adds $count=true. Add both and you are good to go. -All pages through the full result set rather than stopping at the first page.

    Get-MgUser -Filter 'assignedLicenses/$count eq 0' -ConsistencyLevel eventual -CountVariable unlicensedUserCount -All

    Id                                   DisplayName     Mail                           UserPrincipalName
    --                                   -----------     ----                           -----------------
    1468b68b-8536-4bc5-ab1f-6014175b836d merill-fdo      merill-fdo@yopmail.net         merill-fdo_yopmail.net#E…
    160f8064-a20c-4236-bdf4-3393003e916b Ezra Brand      ezra@fdo.net                   ezra_fdo.net#EXT#@pora.n…
    37e5a3d1-f92b-4a12-bb35-91bf80969810 Joshua Sal      user2@fakedomain.com           user2_fakedomain.com#EXT…
    5c8537e4-7d7f-4920-a921-382d91fa53fd Fake Damain     user@fakedomain.com            user_fakedomain.com#EXT#…
    640885de-9652-4fb2-8a87-963cc2f599a0 Chris Green     chris.green@yopmail.net        chris.green_yopmail.net#…
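To make clear what those two switches do on the wire, here is an added example (not from the original post) that issues the same advanced query against the Graph REST endpoint through Invoke-MgGraphRequest, sets the ConsistencyLevel header and $count=true itself, and follows @odata.nextLink so it returns every page. It assumes an existing Connect-MgGraph session with User.Read.All; the function name Get-MgAdvancedQuery is this example's own.

```powershell
# Added example, not from the post: run an advanced query against Graph directly,
# supplying the two things the error message is really asking for: the
# ConsistencyLevel: eventual header and $count=true. Assumes Connect-MgGraph
# has already been run with User.Read.All.
function Get-MgAdvancedQuery {
    param([Parameter(Mandatory)][string]$Uri)

    $results = @()
    $next = $Uri
    while ($next) {
        # Without this header (or without $count=true in the URL) Graph rejects
        # $count inside $filter with the "Expect simple name=value query" error.
        $page = Invoke-MgGraphRequest -Method GET -Uri $next -Headers @{ ConsistencyLevel = 'eventual' }
        $results += $page.value
        $next = $page['@odata.nextLink']   # keep paging until Graph stops returning a link
    }
    return $results
}

# Single quotes stop PowerShell from expanding $filter, $count and $select as variables.
$uri = 'https://graph.microsoft.com/v1.0/users' +
       '?$filter=assignedLicenses/$count eq 0&$count=true&$select=id,displayName,userPrincipalName'

$unlicensed = Get-MgAdvancedQuery -Uri $uri
"Unlicensed users: $($unlicensed.Count)"
$unlicensed | ForEach-Object { [pscustomobject]$_ } | Format-Table id, displayName, userPrincipalName
```

Invoke-MgGraphRequest returns each page as a hashtable by default, which is why the nextLink is read with the indexer syntax; the header must be sent on every page request, not just the first.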

Azure AD Nudge (Authenticator registration campaign) failing to prompt users

1 minute read

Getting users to go to the aka.ms/mysecurityinfo page and set up the Authenticator app for MFA is not an easy task.

Azure AD's 'Nudge' feature lets you run a Microsoft Authenticator registration campaign that interrupts a user who signs in with SMS and nudges them to set up the Authenticator app.

If you have set this up but are not seeing users being nudged/prompted with the 'Improve your sign-ins' message, it's most probably because you have a Conditional Access policy that targets the 'Register security information' user action.

The nudge screen will not be displayed if a user’s sign in is in scope of a conditional access policy that blocks access to the “Register security information” page.

Take, for example, a Conditional Access policy that blocks users from accessing the 'Register security information' page over the internet and limits it to your company's corporate network.

When a user signs in over the internet and uses SMS, they will not be shown the nudge ('Improve your sign-ins') screen.

Suppose, for argument's sake, that Azure AD sent them to the page where they can set up security info anyway. If we allowed the user to set up new auth methods there, it would bypass the Conditional Access policy defined above. Alternatively, it wouldn't be a pleasant experience to redirect the user to the nudge screen and then show them a Conditional Access error when they tried to set up a new auth method.

Instead, we simply avoid showing the nudge prompt when the current sign-in would be blocked by the 'Register security information' Conditional Access policy.

Hope that makes sense.
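A quick way to check for this situation in your own tenant, as an added example that is not part of the original post: read the registration campaign state from the authentication methods policy, then list every Conditional Access policy whose application scope includes the 'Register security information' user action (urn:user:registersecurityinfo), together with its grant control and location conditions. It assumes the Microsoft.Graph PowerShell SDK and a session with Policy.Read.All.

```powershell
# Added example, not from the post: show the nudge campaign state and find the
# Conditional Access policies that target security info registration, since any
# of them that would block the sign-in also suppresses the nudge.
# Assumes the Microsoft.Graph SDK; requires Policy.Read.All.
Connect-MgGraph -Scopes 'Policy.Read.All' | Out-Null

# 1. Is the registration campaign actually on?
$campaign = (Get-MgPolicyAuthenticationMethodPolicy).RegistrationEnforcement.AuthenticationMethodsRegistrationCampaign
"Registration campaign state: $($campaign.State); snooze duration: $($campaign.SnoozeDurationInDays) days"

# 2. Which Conditional Access policies apply to the 'Register security information' user action?
$registerSecurityInfo = 'urn:user:registersecurityinfo'
Get-MgIdentityConditionalAccessPolicy -All |
    Where-Object { $_.Conditions.Applications.IncludeUserActions -contains $registerSecurityInfo } |
    ForEach-Object {
        [pscustomobject]@{
            Policy           = $_.DisplayName
            State            = $_.State                                   # enabled / disabled / enabledForReportingButNotEnforced
            GrantControls    = ($_.GrantControls.BuiltInControls -join ',')  # 'block' is the case described above
            IncludeLocations = ($_.Conditions.Locations.IncludeLocations -join ',')
            ExcludeLocations = ($_.Conditions.Locations.ExcludeLocations -join ',')
            IncludeUsers     = ($_.Conditions.Users.IncludeUsers -join ',')
        }
    } | Format-Table -AutoSize
```

A policy with GrantControls of 'block', IncludeLocations of 'All' and your corporate network in ExcludeLocations is exactly the configuration in the example above: users signing in from outside that network will never see the nudge.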

AzureAD Restricted Access - Guest Permission Level

1 minute read

ICYMI: We introduced a new guest permission level in Azure AD that restricts what guests can view about other directory objects in your tenant.

Screenshot showing table of guest permission levels with new one from Restricted access (new) = Guests can't see membership of any groups

When guest access is restricted, guests can view only their own user profile. Permission to view other users isn't granted even if the guest searches by UserPrincipalName or objectId. Restricted access also stops guest users from seeing the membership of groups they're in.


Screenshot from Azure Portal showing the new guest user access restriction option. Including "Guest user access is restricted to properties and memberships of their own directory objects (most restrictive)"

Here are some before/after experiences for guests. This is from the My Groups page (accessed from https://aka.ms/myapps). The guest goes from being able to see the names and email addresses of other guests in the group to the Groups view being disabled for them.


Similarly, guests with restricted access are also blocked from seeing the list of groups they are members of.


Finally, PowerShell. By default, guests with limited access can get a list of group members and even traverse up the org chart by looking up managers.

Screenshot of PowerShell commands showing what guests can see.

Restricted access blocks these commands from being run.

Screenshot of PowerShell cmdlets to get-azureadgroupmember, get-azureaduser cmdlets returning Request denied error messages.

This doc has a neat table summarizing the different access levels. Default user permissions - Azure Active Directory

To learn more about the restricted permission, supported apps and config details see Restrict guest user access permissions - Azure Active Directory
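As an added example that is not part of the original post, here is how to read and change the same setting from Graph PowerShell instead of the portal. The portal option is backed by the guestUserRoleId property of the tenant's authorization policy; the three role template ids are the documented values for member-equivalent, limited (default) and restricted access. It assumes the Microsoft.Graph SDK and a session with Policy.ReadWrite.Authorization; the function names are this example's own.

```powershell
# Added example, not from the post: read and set the tenant's guest user access
# level via the authorization policy that backs the portal setting.
# Role template ids are the documented guestUserRoleId values.
# Assumes the Microsoft.Graph SDK; requires Policy.ReadWrite.Authorization.
$GuestRoleIds = @{
    Member     = 'a0b1b346-4d3e-4e8b-98f8-753987be4970'   # same access as member users
    Limited    = '10dae51f-b6af-4016-8d66-8c2a99b929b3'   # limited access (the default)
    Restricted = '2af84b1e-32c8-42b7-82bc-daa82404023b'   # restricted access (most restrictive)
}

function Get-GuestAccessLevel {
    $id = [string](Get-MgPolicyAuthorizationPolicy).GuestUserRoleId
    $match = $GuestRoleIds.GetEnumerator() | Where-Object { $_.Value -eq $id } | Select-Object -First 1
    $level = if ($match) { $match.Key } else { 'Unknown' }
    [pscustomobject]@{ GuestUserRoleId = $id; Level = $level }
}

function Set-GuestAccessLevel {
    param([Parameter(Mandatory)][ValidateSet('Member', 'Limited', 'Restricted')][string]$Level)
    # Changing this is tenant-wide and takes effect for every guest, so audit the current value first.
    Update-MgPolicyAuthorizationPolicy -GuestUserRoleId $GuestRoleIds[$Level]
}

Connect-MgGraph -Scopes 'Policy.ReadWrite.Authorization' | Out-Null
Get-GuestAccessLevel                     # Limited on a tenant that still has the default
Set-GuestAccessLevel -Level Restricted
Get-GuestAccessLevel                     # Restricted: guests lose group member and manager lookups
```

After the change, the Get-AzureADGroupMember and Get-AzureADUser calls shown in the screenshot above start returning the "Request denied" errors for guest sessions; test it with a guest account before rolling it out, since apps that rely on guests resolving other users will break.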

If you want to learn how to restrict PowerShell access for guests while staying with ‘Limited access’, that’s a post for another day.

BTW, in Teams:

Limited Access = Guests can search any user in the tenant by UPN/email and chat with them.

Restricted Access = Guests can only search for and chat with users in the team/group(s) they have been invited to. They cannot look up and chat with other users in the tenant.